Third Circuit Takes Narrow View of PII Under the VPPA

Last week, the Third Circuit adopted a narrow definition of “personally identifiable information,” or “PII,” under the Video Privacy Protection Act (“VPPA”), joining the majority of district courts that have addressed similar issues. The VPPA defines PII as information that “identifies a person as having [obtained a video]” from a video tape service provider (“VTSP”).

In an appeal from the multi-district litigation In re Nickelodeon Consumer Privacy Litigation, the Third Circuit ruled that digital identifiers such as MAC addresses and IP addresses are not PII because the statutory definition of that term “applies only to the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior.”

Background

Under the VPPA, a VTSP that knowingly discloses consumers’ PII to third parties can be liable for actual or statutory damages.

The plaintiffs in Nickelodeon focused on three types of static digital identifiers: IP addresses, browser fingerprints (i.e., the unique characteristics of browser and device settings), and unique device identifiers like MAC addresses or advertising identifiers. The plaintiffs alleged that Nickelodeon’s owner Viacom’s engagement of Google to serve ads on Viacom’s sites involved Viacom’s disclosure of URL information that “effectively revealed” what videos the plaintiffs watched, plus unique device identifiers that let Google link the plaintiffs’ video-watching to their real-world identities. They alleged that Viacom acted knowingly by letting Google host ads despite being aware of Google’s “ubiquitous presence on the Internet and its tracking of users.”

Viacom disagreed with the plaintiff’s broad interpretation of PII, pointing instead to the VPPA’s legislative history and historical context, which both concerned brick-and-mortar video stores’ ability to identify particular people as having engaged in specific transactions. Viacom urged that what it disclosed to Google was not the type of information Congress intended to be PII under the VPPA. According to Viacom, the data at issue could identify particular devices, but not particular people who had engaged in specific transactions. As a result, it could not be PII.

The Court’s Reasoning

The court agreed with Viacom, ruling that Congress’s purpose in passing the VPPA was narrowly restricted to preventing “disclosures of information that would, with little or no extra effort, permit an ordinary recipient to identify a particular person’s video-watching habits.”

As the court explained, data about people exists along a spectrum. On one end is a name. Next to that is information like telephone numbers that requires consultation with a public source to identify a person based on their telephone number. Then there is information like government identifiers that require more effort to identify a person, like contacting a government office. And finally, even further away from the most identifiable types of information, is information like the static identifiers at issue in Nickelodeon, which often require efforts like subpoenaing Internet service providers to identify associated people.

Based on this spectrum, the Third Circuit explained that given the VPPA’s history, Congress did not mean to adopt an extremely broad definition of PII, or to borrow other laws and rules’ definitions of PII. Instead, it meant only to serve a narrow purpose: prevent disclosure of ordinarily identifiable people’s video-watching histories.

Although the court noted that the VPPA could be interpreted to encompass technologies unforeseen at the statute’s passage, it ultimately disagreed that the definition of PII could stretch so far as to cover the static digital identifiers before it. The court expressly stated that it was not rendering the VPPA a dead letter with regard to new technologies. For example, it suggested Google purposefully leaking YouTube customers’ video-watching histories could violate the statute.

Moreover, the Third Circuit explained that it was not creating a split with the First Circuit’s decision in Yershov v. Gannett, which ruled that at least when combined with data like GPS coordinates, digital identifiers such as unique device IDs can be PII under the VPPA. Instead, implicitly referring to its discussion of the spectrum of identifiability, the Third Circuit said that Yershov merely concluded that GPS coordinates plus unique identifiers have more power to identify a specific person than IP addresses, lone device identifiers, or browser fingerprints.

Receipt Versus Disclosure

Additionally, the Third Circuit clarified that Google could not be liable under the VPPA for any purported receipt of PII from Viacom because the VPPA only creates liability for disclosure. As the court explained, this confusion comes almost exclusively from a 1996 District of New Jersey case ruling that Congress’s remedial purposes in passing the VPPA were best served by creating liability for the receipt (and thus possible later dissemination of) PII. As the Third Circuit explained, no other court has taken this view, and the Sixth and Seventh Circuits have explicitly rejected it. Consequently, only VTSPs that disclose PII can be liable under the VPPA.

Spokeo

Also notably, Nickelodeon is one of the first courts to address whether the Supreme Court’s May 16, 2016 decision in Spokeo, Inc. v. Robins might affect VPPA plaintiffs’ Article III standing. That case held that it was error for a court to focus just on whether a plaintiff’s purported injury was “particularized” without also assessing whether it was sufficiently “concrete.” The Supreme Court explained that even certain intangible harms could be sufficiently concrete for standing, such as purported injuries related to harms traditionally regarded as being bases for lawsuits, or Congress’s decision to make legally cognizable injuries that were previously inadequate at law.

The Third Circuit ruled that because Congress has long provided plaintiffs with the right to seek redress for unauthorized disclosures of private information, Spokeo did not bar the plaintiffs’ VPPA claim despite Viacom’s argument that disclosure of information about online activities was not an injury-in-fact.

So, as appellate courts continue to rule on what types of information constitute PII under the VPPA, the count now stands at 2–1 for a narrow reading of the statute, with the First Circuit’s Yershov remaining an outlier and the Third and Eleventh Circuits representing the majority view.

About the Covington Data Privacy and Cybersecurity group

Repeatedly ranked as having one of the best privacy practices in the world, Covington combines exceptional substantive expertise with an unrivaled understanding of the IT industry, and of e-commerce and digital media business models in particular. Read More